System Overview
- Operating System: Windows Server 2019 with RADIUS role
- Hardening Configuration: TLS protocols and cipher suites according to the Mozilla Intermediate profile
Problem
After applying the hardening configuration, WLAN clients could not authenticate to RADIUS and therefore could not connect to the wireless LAN.
Cause
RADIUS in our case uses EAP-TLS as the authentication protocol. As defined in RFC 5216, section 2.4, EAP-TLS requires the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.
It further recommends supporting TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268].
Solution
Add the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA to the end of the cipher suites list.
Check
After applying the updated hardening configuration, try to log in to the WLAN.
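The following PowerShell sketch is an added example, not part of the original configuration: it appends the suite from the Solution section and checks the server-side state before a client test. It assumes the cipher suite order is managed locally with the built-in TLS cmdlets; the two registry paths are the standard Schannel policy and cipher locations and are not taken from this page.

```powershell
# Added example: run in an elevated PowerShell session on the RADIUS (NPS) server.
$suite = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

# Assumption: if the order is set by Group Policy ("SSL Cipher Suite Order"),
# the policy list takes precedence and the suite must be appended in the GPO.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    Write-Warning "Cipher suite order is set by policy; append $suite there instead."
}

# A hardening tool may also have disabled the 3DES cipher itself in Schannel,
# in which case listing the suite is not enough.
$cipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
$cipher = Get-ItemProperty -Path $cipherKey -Name Enabled -ErrorAction SilentlyContinue
if ($cipher -and $cipher.Enabled -eq 0) {
    Write-Warning "3DES is disabled under '$cipherKey'; the suite cannot be negotiated."
}

# Append only when missing. [uint32]::MaxValue requests the end of the list;
# the literal 0xFFFFFFFF would be parsed by PowerShell as the Int32 value -1.
$names = @((Get-TlsCipherSuite).Name)
if ($names -notcontains $suite) {
    Enable-TlsCipherSuite -Name $suite -Position ([uint32]::MaxValue)
    $names = @((Get-TlsCipherSuite).Name)
}

# Report the resulting order so the position can be reviewed.
$index = [array]::IndexOf($names, $suite)
if ($index -lt 0) {
    Write-Error "$suite is still not in the cipher suite list."
} elseif ($index -ne $names.Count - 1) {
    Write-Warning "$suite is at position $index of $($names.Count); expected last."
} else {
    Write-Output "$suite is present and last of $($names.Count) suites."
}
$names
```

Keeping the suite last means clients that offer a stronger suite from the hardened list still negotiate that one first.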
References
- https://www.rfc-editor.org/rfc/rfc5216#section-2.4
- https://framebyframewifi.net/2016/06/13/hardening-tls-for-wlan-802-1x-authentication/
- https://mike-graham.co.uk/blog/2017/10/04/how-to-improve-the-security-of-npsradius/
- https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls
- https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel